Cisco and Yahoo have joined forces with several anti-spam companies to propose a standard for filtering junk out of in-boxes.
Software companies SendMail and PGP worked with the others on DomainKeys Identified Mail (DKIM), which works through public key cryptography. Each message gets a signature, which can then be checked for authenticity by verifying the originating domain and whether the message has been tampered with.
The technology has been submitted to the Internet Engineering Task Force (IETF), which sets Internet standards. It will discuss the proposal the end of this month.
Microsoft, which is listed as a partner in the DKIM alliance, has also proposed its own standard, Sender ID, which works by verifying that a message was actually sent from the domain claimed in the “from” field and other parts of the message.
Although this is a good step, analysts say there is no magic technology that will eliminate all spam and phishing attempts.
“I think some of the recent press about DKIM paints it as more of a panacea than it actually is,” Ed Moyle, president, SecurityCurve, told TechNewsWorld. “Specifically, DKIM is not a universal solution to phishing or spamming. It does help to mitigate address spoofing, which is a very real problem that facilitates phishing and spamming, but it does not achieve the end goal of eliminating either entirely.”
There are problems with both technologies, Peter Firstbrook, research director, Gartner, said.
“There are some legitimate reasons why e-mail might originate from an IP address that is not registered (e.g. remote and traveling workers and mobile devices, backup systems),” he wrote in an e-mail to TechNewsWorld. “Spammers can simply publish their own sender ID/domain key records, meaning the authentication will be pointless. Although it will make black lists more useful, spammers will simply have to change IPs with each new campaign.”
Time to Get Moving
But Forrester analyst Jonathan Penn said the real issue is implementation speed.
“But the ultimate problem we have here isn’t with the various specifications. It’s that the great is the enemy of the good. Everyone has been fretting about these imperfections for over a year already,” he told TechNewsWorld. “And while these developers fuss and fret over these finer points, sender validation isn’t being employed to fight the spam and phishing problems. So in the meantime, spam volume continues to double every year and the phishing problem is getting exponentially worse.”
Alt-N Technologies, AOL, EarthLink, IBM, Microsoft and VeriSign, are also involved in DKIM technology.